The Tanzu Quickstart guide does a good job of outlining the IPs needed, and sizing considerations for the workload subnet.  I chose to do /24 subnet for my workload network because it is the easiest one for me to manage.

I mentioned previously I also decided to do HAProxy in the FrontEnd configuration, with the FrontEnd subnet being my home/management network. This makes my HAProxy look something like this


  • Management IP:
  • Frontend =
  • VIP Range =    or
  • Management/FrontEnd Gateway IP:
  • Workload Network Load Balancer IP:
  • Workload Network Gateway IP:


  • Management IP:
  • Workload IP:


  • Management IPs: DHCP
  • Workload IP Range: – 200

A few things to note

Pfsense is the “router” into the workload domain, this is why the Workload IP for Pfsense is the gateway IP on the Workload Subnet. Since we are using the FrontEnd configuration for HAProxy, most of the traffic into the Workload subnet will get there through the VIP range on HAProxy. This VIP range is the range Tanzu will use to load balance the services and supervisors it creates.

This configuration of using my normal home network for the management network is also only possible because I have my DHCP server configured to NOT distribute all of the IPs in the /24. This bring me to the next topic.

Network Prereqs


I currently use PiHole as my home DNS/DHCP server. On the DHCP side, I only have it distributing IPs 200-240.

IPs from 2-199 are statically set by me. This allows me to set and configure my various homelab components without worrying they will conflict with DHCP.

For those wanting to have a similar Tanzu setup, confirming static and DHCP ranges in your home is an important first step.


I mentioned most of the time we will be accessing the Workload network through the VIP Range on the management/home network. However, we may still need to access that network without HAProxy. In order to do this our devices will need a route in order to navigate to the Workload subnet.

This route is currently set on my home Asus Router:

Nothing fancy here. Simply let the router know when devices come looking for IPs in the range, they need to be forwarded to This IP is the home network side of Pfsense, which will get the traffic to the workload subnet.

Workstation Hosts

My ESXi hosts are of the embedded type, and live in VMware Workstation. To facilitate the workload network, I created a new nic on each of the hosts for this traffic.

In VMware Workstation, Edit- Virtual Network Editor:

Now we want to create a new network and make it host only. Once complete it should look like this:

The IPs mentioned above aren’t used(as the box isn’t checked), so it doesn’t matter what is listed there.

With the network created, we need to add it to each host. On each host go to Settings:

We want to add a new network adapter and connect it to that host-only network we just created. Note the device(/dev/vmnet8) matches what we created above.

Because these are embedded ESXi hosts, we also need to make sure Promiscuous mode is allowed for this network. It is only a couple of quick commands and found here:

This probably goes without saying, as I imagine anyone reading this is already very familiar with standard vSphere management, but we also need to create this network with the appropriate uplinks in vCenter. In this instance, it is a portgroup on a VDS which only has one uplink(the one we just created).

I believe we are now ready to start deploying Pfsense and HAProxy!!!!